# Start from an empty ruleset: every existing table, chain and rule is removed
# before the tables below are loaded, so nothing from a previous configuration
# stays active alongside them.
flush ruleset

# NAT table: transparently redirects DNS queries and new TCP connections to
# local listeners on ports 9053 and 9040.
# NOTE(review): presumably these are Tor's DNSPort and TransPort; confirm
# against the daemon configuration. Rule order inside each chain is significant.
table inet nat {
	chain prerouting {
		type nat hook prerouting priority -100; policy accept;
		# Packets arriving on any non-loopback interface: UDP DNS goes to :9053.
		iifname != "lo" udp dport 53 counter redirect to :9053
		# Match only the opening SYN of a TCP connection (SYN set; FIN, RST and
		# ACK clear) and redirect it to :9040.
		# NOTE(review): the filter input chain in this file accepts only loopback,
		# ICMP and established/related traffic, so new connections redirected here
		# appear to be rejected before reaching the listener; confirm whether
		# serving other hosts is intended.
		iifname != "lo" tcp flags & (fin|syn|rst|ack) == syn counter redirect to :9040
	}
	
	chain input {
		# Empty chain: registers the hook only, no rules.
		type nat hook input priority 100; policy accept;
	}
	
	chain output {
		type nat hook output priority -100; policy accept;
		# Locally generated traffic leaving via loopback is never redirected.
		oifname "lo" counter return
		# Destinations in 192.168.0.0/16 bypass redirection.
		# NOTE(review): this return sits above the DNS rule, so a query sent to a
		# resolver inside 192.168.0.0/16 is not redirected to :9053, and the filter
		# output chain accepts that range; that is a DNS leak if the system
		# resolver is a LAN address. Confirm the resolver points at loopback.
		# NOTE(review): the filter output chain also accepts 10.0.0.0/8, but there
		# is no matching return here, so new TCP connections to that range are
		# still redirected to :9040.
		ip daddr 192.168.0.0/16 counter return
		# Traffic owned by the user "tor" is left alone (presumably the proxy
		# daemon's account, which must reach the network directly).
		meta skuid tor counter return
		# Everything else: UDP DNS to :9053, new TCP connections to :9040.
		udp dport 53 counter redirect to :9053
		tcp flags & (fin|syn|rst|ack) == syn counter redirect to :9040
	}
	
	chain postrouting {
		# Empty chain: registers the hook only, no rules.
		type nat hook postrouting priority 100; policy accept;
	}
}

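# Filter table: default-deny in every direction. Inbound, only loopback, IPv4
# ICMP and replies to existing connections are accepted. Outbound, only
# loopback, the listed private IPv4 ranges, replies, and traffic owned by the
# user "tor" may leave; everything else is rejected.
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iifname "lo" counter accept
		# All IPv4 ICMP types are accepted inbound.
		# NOTE(review): there is no ICMPv6 counterpart, so IPv6 neighbour
		# discovery falls through to the rejects below; confirm IPv6 is meant
		# to be unused on this host.
		ip protocol icmp counter accept
		ct state related,established counter accept
		# Unsolicited IPv4 traffic is refused explicitly rather than dropped.
		ip protocol tcp counter reject with tcp reset
		ip protocol udp counter reject
		# IPv4-specific ICMP code for remaining protocols; the generic reject
		# after it covers whatever is left (for example IPv6).
		counter reject with icmp type prot-unreachable
		counter reject
	}
	
	chain forward {
		# No rules: the host never forwards packets between interfaces.
		type filter hook forward priority 0; policy drop;
	}
	
	chain output {
		type filter hook output priority 0; policy drop;
		# Loopback destinations, including connections the nat output chain has
		# already redirected to the local listeners.
		ip daddr 127.0.0.0/8 counter accept
		# Direct access to private IPv4 ranges.
		# NOTE(review): the nat output chain exempts only 192.168.0.0/16 from
		# redirection, and 172.16.0.0/12 is listed in neither table; confirm
		# which local ranges are intended.
		ip daddr 192.168.0.0/16 counter accept
		ip daddr 10.0.0.0/8 counter accept
		# IPv6 loopback only, mirroring the 127.0.0.0/8 rule above. The previous
		# rule here was "ip6 saddr ::255.0.0.0/0": a /0 prefix compares no address
		# bits, so it accepted every IPv6 packet from any user and bypassed the
		# owner check and the rejects below.
		ip6 daddr ::1 counter accept
		ct state related,established counter accept
		# Only the user "tor" may open new connections to the outside.
		meta skuid tor counter accept
		# IPv4 gets host-unreachable; the generic reject covers the rest.
		counter reject with icmp type host-unreachable
		counter reject
	}
}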
